Description of problem:
Contrary to the man page, rpm keeps adding signatures to rpm packages when attempting to sign them.

Version-Release number of selected component (if applicable):
rpm-4.8.0-12.el6.x86_64

How reproducible:
100% of the time

Steps to Reproduce:
1. Create a 4096-bit RSA signing key with gpg.
2. Find a test RPM package.
3. rpm --resign the package 3 times.
4. rpm -K the package.

Actual results:
Find 3 insertions of the GPG key into the package.

Expected results:
Find 1 insertion of the GPG key into the package, as the man page states.

Additional info:
From the man page:

"rpm --addsign|--resign PACKAGE_FILE ...

Both of the --addsign and --resign options generate and insert new signatures for each package PACKAGE_FILE given, replacing any existing signatures. There are two options for historical reasons, there is no difference in behavior currently."

A simple demo:

root@hostname:~/rpmbug >rpm -K somedumbrpm-1.0-1.0.noarch.rpm
somedumbrpm-1.0-1.0.noarch.rpm: sha1 md5 OK
root@hostname:~/rpmbug >rpm -vv --resign somedumbrpm-1.0-1.0.noarch.rpm
Enter pass phrase:
Pass phrase is good.
somedumbrpm-1.0-1.0.noarch.rpm:
D: Expected size: 21684 = lead(96)+sigs(180)+pad(4)+data(21404)
D: Actual size: 21684
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: Signature: size(1296)+pad(0)
root@hostname:~/rpmbug >rpm -K somedumbrpm-1.0-1.0.noarch.rpm
somedumbrpm-1.0-1.0.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadf00d)
root@hostname:~/rpmbug >rpm -vv --resign somedumbrpm-1.0-1.0.noarch.rpm
Enter pass phrase:
Pass phrase is good.
somedumbrpm-1.0-1.0.noarch.rpm:
D: Expected size: 22796 = lead(96)+sigs(1296)+pad(0)+data(21404)
D: Actual size: 22796
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: Signature: size(1856)+pad(0)
root@hostname:~/rpmbug >rpm -K somedumbrpm-1.0-1.0.noarch.rpm
somedumbrpm-1.0-1.0.noarch.rpm: RSA sha1 ((MD5) PGP) ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadf00d (MD5) PGP#deadf00d)
root@hostname:~/rpmbug >rpm -vv --resign somedumbrpm-1.0-1.0.noarch.rpm
Enter pass phrase:
Pass phrase is good.
somedumbrpm-1.0-1.0.noarch.rpm:
D: Expected size: 23356 = lead(96)+sigs(1856)+pad(0)+data(21404)
D: Actual size: 23356
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: GPG sig size: 543
D: Got 543 bytes of GPG sig
D: Signature: size(2416)+pad(0)
root@hostname:~/rpmbug >rpm -K somedumbrpm-1.0-1.0.noarch.rpm
somedumbrpm-1.0-1.0.noarch.rpm: RSA sha1 ((MD5) PGP) ((MD5) PGP) ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#deadf00d (MD5) PGP#deadf00d (MD5) PGP#deadf00d)
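One way a release engineer can check a signed package for the symptom above is to read the RPM signature header directly and count how often each signature tag occurs; the growing sigs(...) size in the -vv output and the repeated "((MD5) PGP)" entries both point at duplicate entries in that header. The following is an added example, not rpm's own code or part of this report; it assumes the standard on-disk layout (96-byte lead, then the signature header with its 16-byte index entries) and the tag numbers from rpm's rpmtag.h, and the sample package it builds is constructed, not a real file.

```python
"""Added example: count signature tags in an RPM signature header.
A package hit by the --resign bug lists a signature tag more than once;
a correctly re-signed package lists each tag exactly once."""
import struct
from collections import Counter

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic followed by version 1
LEAD_SIZE = 96
# Signature header tags as numbered in rpm's rpmtag.h.
SIG_TAGS = {267: "DSA", 268: "RSA", 269: "SHA1", 1000: "SIZE",
            1002: "PGP", 1004: "MD5", 1005: "GPG"}


def signature_tag_counts(data: bytes) -> Counter:
    """Return a Counter of tag names present in the signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # magic(4) + reserved(4), then big-endian index count and data size
    nindex, _hsize = struct.unpack(">II", data[LEAD_SIZE + 8:LEAD_SIZE + 16])
    counts = Counter()
    for i in range(nindex):
        off = LEAD_SIZE + 16 + 16 * i          # each index entry is 16 bytes
        tag, _typ, _offset, _count = struct.unpack(">iiii", data[off:off + 16])
        counts[SIG_TAGS.get(tag, f"tag{tag}")] += 1
    return counts


def duplicated_signature_tags(data: bytes) -> list:
    """Tags that occur more than once; empty for a correctly (re)signed package."""
    return sorted(t for t, n in signature_tag_counts(data).items() if n > 1)


def build_sample(tags) -> bytes:
    """Construct a minimal lead + signature header carrying the given tags.
    Entry data is dummy (one zero byte each, type 7 = BIN); no payload."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\x00" * (LEAD_SIZE - 6)
    index = b"".join(struct.pack(">iiii", t, 7, i, 1) for i, t in enumerate(tags))
    store = b"\x00" * len(tags)
    header = (HEADER_MAGIC + b"\x00" * 4 +
              struct.pack(">II", len(tags), len(store)) + index + store)
    return lead + header


if __name__ == "__main__":
    # Constructed sample mirroring "RSA sha1 ((MD5) PGP) ((MD5) PGP) md5" above
    bad = build_sample([1000, 269, 268, 1002, 1002, 1004])
    print("duplicated:", duplicated_signature_tags(bad))   # ['PGP']
```

To check a real file, pass the contents of the .rpm to duplicated_signature_tags and treat any non-empty result as a package that needs its signatures stripped and redone.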
This is fixed as an intended side-effect of fixing bug 608608 so ACK, and no new code needed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0739.html